This doesn’t surprise me. I think most teams are split into multiple units: there’s one lot building an API using Django plus DRF, and another building the frontend with React or Vue or… Where there’s budget, there’s a third (or fourth) team building native mobile apps, hitting the same API.
Most times, I’d guess, the frontend web team can’t have or don’t want any dependency on the Django project, so they can’t serve their app in development via the Django application. This means they put it on the separate subdomain, app., and so they need the CORS headers set.
It’s not how I’d do it on a solo project, or ideally in a team environment where there wasn’t such a wall between the groups, but, if I had to lay money, I’d punt that’s how it’s done in most shops in the wild.
In production, I too would have the frontend server set the headers, but “it’s already working” is a pretty powerful pull, and I’d guess a reasonable amount of folks aren’t necessarily deploying to an environment where they (easily) get to control these things. (I guess it’s similar to whitenoise: it sets all these headers that, surely, are the web server’s job. But what if there’s no web server? Or if you forget/don’t have time to set it up properly? … — that’s a massive tangent.)
Who knows? Interesting.